Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

12/4/2013
12:06 PM
50%
50%

Do Antivirus Companies Whitelist NSA Malware?

Microsoft, Symantec, and McAfee fail to respond to a transparency plea from leading privacy and security experts.

Dear antivirus vendors: Are you aiding and abetting National Security Agency (NSA) spying?

That's the subject of an open letter, sent in October to leading antivirus vendors, from 25 different privacy information security experts and organizations. The letter asks the vendors to detail whether they've ever detected state-sponsored malware or received a government request to whitelist state-sponsored malware, and how they would respond to any such requests in the future.

The letter, sent from Dutch digital rights foundation Bits of Freedom, requested that the firms respond by November 15. "Please let us know if you feel that you cannot, or cannot fully, answer any of the above questions because of legal constraints imposed upon you by any government," it said.

"Since we learned that the NSA has surreptitiously weakened Internet security so it could more easily eavesdrop, we've been wondering if it's done anything to antivirus products," letter signatory Bruce Schneier, chief security technology officer of BT, said in a blog post. "Given that it engages in offensive cyberattacks -- and launches cyberweapons like Stuxnet and Flame -- it's reasonable to assume that it's asked antivirus companies to ignore its malware. We know that antivirus companies have previously done this for corporate malware."

As of two weeks ago, however, only six security vendors -- ESET, F-Secure, Kaspersky Lab, Norman Shark, Panda, and Trend Micro -- had responded to the request for information. Even so, the news was good. "All of the responding companies have confirmed the detection of state sponsored malware, e.g. R2D2 and FinFisher," according to researcher Ton Siedsma at Bits of Freedom. "Furthermore, they claim they have never received a request to not detect malware. And if they were asked by any government to do so in the future, they said they would not comply."

More recently, meanwhile, Avira CEO Travis Witteveen reported, in a letter to Bits of Freedom, that his company likewise had no time for state-sponsored malware, and said the company would change its headquarters to a foreign country if the German government ever ordered it to ignore any type of malware. Likewise, the CEO of BitDefender, speaking by phone, said that his company had never received a copy of the letter from Bits of Freedom, but that his company would never -- and had never -- whitelisted any form of malware. The company plans to soon publish a more detailed statement on its website. 

No malware is harmless

That, of course, gets to the crux of the matter: Is there any such thing as benign malware? Most, if not all, security experts would argue otherwise. "All the aforementioned companies believe there is no such thing as harmless malware," Bits of Freedom’s Siedsma noted.

Hence it's odd that US-based McAfee, Microsoft, and Symantec all failed to respond to Bits of Freedom's letter before the deadline. (Siedsma at Bits of Freedom didn't immediately respond to an emailed question about whether any have done so since then.) Ditto for Agnitum (Russia), Ahnlab (South Korea), Avast (Czech Republic), AVG (Czech Republic), and Bullguard (United Kingdom).

Firms that did respond, by contrast, were largely outspoken in their attitude toward state-sponsored malware. "We have a very simple and straightforward policy as it relates to the detection of malware: We detect and remediate any malware attack, regardless of its origin or purpose. There is no such thing as 'right' or 'wrong' malware for us," according to Kaspersky Lab's statement.

Likewise, Christian Fredrikson, president and CEO of Finnish antivirus vendor F-Secure, argued that malware has no shades of gray. "If it's malware, we will protect our customers from it," he wrote to Bits of Freedom. "Our decision-making boils down to a simple question: would our customers want to run this program on their system or not. Obviously the answer for governmental Trojans would be a 'No.' "

Ignoring malware of any stripe leads to collateral damage. For example, take the Stuxnet virus, which was allegedly developed by the United States and Israel under the so-called "Olympic Games" cyberweapon program, and which was designed to sabotage the high-frequency convertor drives used in centrifuges inside the Iranian nuclear facility at Natanz.

Security firms, in fact, were the first to discover Stuxnet -- in July 2010 -- and soon began sounding related warnings. While Stuxnet was designed to not cause damage to any other systems outside of Natanz, it did infect numerous other systems, for example at energy giant Chevron, triggering panic and cleanup costs.

For the record, whatever antivirus vendors' attitude toward state-sponsored malware, whether or not they detect it won't necessarily stop the spread of such malware. In part, that's because for an antivirus firm to spot malware, it first needs to have seen the malware, recognized that it's malicious code, and written a corresponding virus signature for its products. In addition, intelligence agencies no doubt work overtime -- and occasionally make use of zero-day vulnerabilities -- to ensure that their malicious code escapes detection. They're probably quite successful at doing so. For example, leaked documents suggest that by 2012, the NSA had installed malware on more than 50,000 PCs used by US government targets.

Given that level of success, it's unlikely, argued Schneier, that any intelligence or law enforcement agencies would try to tell domestic antivirus firms what to do. "Antivirus is a very international industry, and while a government might get its own companies to play along, it would not be able to influence international companies," he said.

But if that's the case, what's to account for the silence from McAfee, Microsoft, and Symantec, and the other antivirus firm holdouts?

 

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
brianmooreDR
50%
50%
brianmooreDR,
User Rank: Apprentice
5/7/2014 | 5:05:51 AM
NSA uses some antivirus software to spy thousands of computers
Things are easiest :  NSA uses some antivirus software to spy thousands of computers.


When you have access to the antivirus software, you have full admin access to the whole computer : files, network, USB, ...

Antivirus software watches all processes on the computer but nobody watches antivirus software ..

Antivirus software can read file and send data to distant server.

Users cannot distinct normal antivirus scan process and updates and data spying ...

 

 
Michelle Schenker
50%
50%
Michelle Schenker,
User Rank: Apprentice
2/6/2014 | 7:16:31 PM
Re: Good news/bad news
I too am impressed but not surprised that the Europeans were quicker to jump on board before the Americans. BItdefender always seems to be ahead of the game from all the research we've conducted over the years. Glad to see they are doing their part to keep the NSA as honest as possible. If anyone wants to read more about what sets Bitdefender apart, here's a helpful review that we put together with our findings: http://www.asecurelife.com/bitdefender-reviews/  And, if you find anything that needs updating, I'd love the heads up on that too. Thanks! 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/6/2013 | 12:49:16 PM
Re: Good news/bad news
It's great to see Avira and Bitdefender respond to the  transparency question about NSA malware from Dutch digital rights foundation Bits of Freedom. Now its your turn, Microsoft, Symantec, and McAfee!
Mathew
50%
50%
Mathew,
User Rank: Apprentice
12/6/2013 | 12:37:33 PM
Re: Good news/bad news
Update: two more AV vendors have come forward -- and we've updated the story accordingly. Avira's CEO has sent Trail of Bits a letter saying it hasn't, and won't, block any malware, full stop. Ditto for the CEO of Bitdefender, who said that his firm first learned of the open letter via the press, saying he'd never received a written inquiry from Bits of Freedom. 

Do any other AV vendors who haven't responded want to make their views known?
DREGstudios01
50%
50%
DREGstudios01,
User Rank: Apprentice
12/4/2013 | 2:51:59 PM
Re: Good news/bad news
The dystopian fantasies of yesteryear are now a reality.  We've allowed the coming of an age where the civil liberties our forefathers fought so hard for are being eroded by the day.  Freedom of Press, Freedom of Speech and Freedom of Assembly are mere ghostly images of their original intent.  We've woken up to an Orwellian Society of Fear where anyone is at the mercy of being labeled a terrorist for standing up for rights we took for granted just over a decade ago.  Read about how we're waging war against ourselves at http://dregstudiosart.blogspot.com/2011/09/living-in-society-of-fear-ten-years.html
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/4/2013 | 1:24:37 PM
Good news/bad news
Kudos to the six AV vendors who responded to the Bits of Freedom request. As the for the silence from  McAfee, Microsoft, Symantec and the other holdouts, it's deafening to say the least.  At the very least, they should justify their lack of transperncy with their reasons why.
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
MoviePass Leaves Credit Card Numbers, Personal Data Exposed Online
Kelly Sheridan, Staff Editor, Dark Reading,  8/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.
CVE-2019-12400
PUBLISHED: 2019-08-23
In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this im...
CVE-2019-15092
PUBLISHED: 2019-08-23
The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.